← back
CVE-2019-5736

CVE-2019-5736

EPSS 98.6%
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Affected products
n/a · n/a
public PoCs found34
githubgithub.com/Frichetten/CVE-2019-5736-PoC657githubgithub.com/q3k/cve-2019-5736-poc209githubgithub.com/twistlock/RunC-CVE-2019-573686githubgithub.com/jas502n/CVE-2019-573614githubgithub.com/agppp/cve-2019-5736-poc7githubgithub.com/epsteina16/Docker-Escape-Miner3githubgithub.com/panzouh/Docker-Runc-Exploit1githubgithub.com/b3d3c/poc-cve-2019-57361githubgithub.com/likekabin/CVE-2019-57361githubgithub.com/GiverOfGifts/CVE-2019-5736-Custom-Runtime1githubgithub.com/milloni/cve-2019-5736-exp1githubgithub.com/Billith/CVE-2019-5736-PoC0githubgithub.com/BBRathnayaka/POC-CVE-2019-57360githubgithub.com/shen54/IT191720880githubgithub.com/h3x0v3rl0rd/CVE-2019-57360githubgithub.com/fahmifj/Docker-breakout-runc0githubgithub.com/si1ent-le/CVE-2019-57360githubgithub.com/takumak/cve-2019-5736-reproducer0githubgithub.com/sonyavalo/CVE-2019-5736-Dockerattack-and-security-mechanism0githubgithub.com/Perimora/cve_2019-5736-PoC0githubgithub.com/sastraadiwiguna-purpleeliteteaming/Holistic-Deconstruction-of-CVE-2019-5736-0githubgithub.com/likekabin/cve-2019-5736-poc0githubgithub.com/yyqs2008/CVE-2019-5736-PoC-20githubgithub.com/stillan00b/CVE-2019-57360githubgithub.com/RyanNgWH/CVE-2019-5736-POC0githubgithub.com/Lee-SungYoung/cve-2019-5736-study0githubgithub.com/h-wookie/cve-2019-5736-poc0githubgithub.com/geropl/CVE-2019-57360exploitdbwww.exploit-db.com/exploits/46369unverifiedcve_referencepacketstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.htmlunverifiedcve_referencewww.exploit-db.com/exploits/46359/unverifiedcve_referencewww.exploit-db.com/exploits/46369/unverifiedexploitdbwww.exploit-db.com/exploits/46359unverifiedcve_referencepacketstormsecurity.com/files/163339/Docker-Container-Escape.htmlunverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
http://lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.htmlhttp://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.htmlhttp://packetstormsecurity.com/files/163339/Docker-Container-Escape.htmlhttp://packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html